From: | Paul Eggert |
Subject: | Re: cp, ln, mv, install: check for vulnerable target directories |
Date: | Wed, 20 Sep 2017 00:09:46 -0700 |
User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 |
Bernhard Voelker wrote:
> I'm also worried about compatibility here: the user will be confused why cp, mv etc from coreutils are not 'just working' anymore ... he will try -f first, and then simply use something else (rsync, whatever).
You're right, we should probably disable this checking if -f is used. As for the user being confused, currently the diagnostic looks like this:

  $ cp passwd /tmp/d/passwd
  cp: vulnerable target directory '/tmp/d/passwd' (append '/' to use anyway)

and suggestions to improve the wording to avoid confusion are welcome. My assumption is that typically when this diagnostic is given, users will either be surprised that the destination is a directory at all, and will slow down and ask why; or they'll be annoyed that the copy doesn't work, and append / to make it work.